01. Selected Work
These mandates show how I lead across privacy, data governance, AI risk, regulatory delivery, board reporting, and first-of-kind operational builds.
Flagship: Built a Regional Privacy Operating Model That Became the Internal Benchmark.
Privacy Operating Model / Global Financial Institution / Regional Build
I built a regional privacy operating model for a global financial institution and anchored it with a business-wide champion network.
The GDPR uplift reached the region with limited central support and limited implementation capacity. I translated the European framework into a model that fit the market, the operating environment, and the business rhythm.
The regional model landed ahead of comparable markets and became a reference point for later uplift work.
The model scaled, held, and became the reference point other regions followed.
Built AI Governance With Enterprise Risk Discipline.
AI Governance / Listed Critical Infrastructure
I built the AI governance framework for a listed critical infrastructure business as board scrutiny and adoption accelerated.
I extended the privacy and data protection program I already led because I treat AI governance as enterprise governance, not a standalone policy exercise.
The framework covers vendor AI risk, model training and ingestion issues in due diligence, automated decision-making compliance, Trusted AI alignment to ISO 42001, AI use case approval, and board reporting on AI risk exposure.
The program now governs new AI deployments, identifies risks technical teams had missed, and applies retrospective scrutiny to AI already in production.
Turned Paper Privacy Programs Into Operating Functions.
Operating Model Reset / Regulated Environments / Repeatable Pattern
I take privacy programs that look complete in a board pack and turn them into functions the business can run.
Across a major Australian financial services group, a global financial institution, and a listed critical infrastructure business, I turned documented programs into working functions with clear ownership, usable artefacts, and decision pathways the business would actually follow.
I embed governance into workflows the business already runs. I translate obligations into decisions. I simplify the framework until people use it.
In one critical infrastructure transformation, I reviewed a paper privacy program in my first three months, removed work that would not change the control environment, and redirected effort toward the parts of the program that would actually hold.
The programs I build stay in place, scale, and keep working after I leave. That early reset removed unnecessary spend, delivered $500K in savings, and turned a paper-heavy transformation stream into a more usable operating program.
Built a Global Financial Institution's First Data Retention and Disposal Engine.
Data Lifecycle / Global Financial Institution / First of Its Kind
I designed and built the group's first end-to-end data retention and disposal engine across policy, classification, legal hold, and technical implementation.
I inherited a data retention and disposal program scoped as a major transformation initiative. I right-sized the approach, reduced delivery complexity, and brought the project from a $10M trajectory to a substantially leaner delivery model while still building the governance engine the organisation needed.
I drove the structured clean-up of decades of unstructured data, moved teams from local network drives to cloud SharePoint, and made classification and disposal part of the migration itself.
In parallel, I ran a major archive destruction program and drove a unified client view across legacy systems during core system modernisation so retention terms could work across platforms that had never aligned.
The program ultimately delivered as a materially lower-cost build, with multi-million-dollar avoided spend, a 70% reduction in paper records, and the data classification baseline for later privacy and data governance work.
Built GDPR Readiness Advisory During the Enforcement Countdown.
GDPR Readiness / Brussels / Cross-Sector Advisory
I built and delivered GDPR readiness advisory from Brussels during the enforcement countdown, when boards and senior management teams were trying to turn a new regulation into operating decisions.
Across more than 25 assessments, I translated privacy, security, and legal requirements into prioritised roadmaps for organisations across healthcare, automotive, retail, manufacturing, finance, and government.
The flagship engagement was a multi-month embed with a global automotive group. I led data mapping across a complex multinational structure with legacy systems, regional silos, and supply-chain data flows. That work anchored the organisation's Binding Corporate Rules program and gave leadership the factual base for the privacy work that followed.
The practice gave me my foundation in board and senior-management advisory during fast-moving regulatory change: diagnosing exposure quickly, prioritising remediation, and turning legal uncertainty into a program executives could fund and run.
Led Board Advisory and Incident Response Under Pressure.
Board Governance / Incident Response / Regulated Environments
I brief boards and executive teams on privacy, data, cyber-privacy convergence, and AI risk in language that supports decisions.
My work has covered corporate transactions, post-incident analysis, enforcement trends, maturity reporting, and emerging regulatory exposure.
I have also led privacy response during live incidents, including governance over the proposed ingestion of externally compromised data for fraud and financial crime controls, ransomware-related third-party exposure, and multiple data breach investigations. That work required coordination across legal, cyber security, technology, operations, external forensic providers, and external counsel.
The value is not just incident handling. It is helping boards understand what happened, what exposure remains, what needs to change, and where governance needs to tighten before the next incident tests the organisation again.